https://bugs.openldap.org/show_bug.cgi?id=10041
Issue ID: 10041
Summary: unnecessary dynlist evaluation
Product: OpenLDAP
Version: 2.5.14
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: david.coutadeur@gmail.com
Target Milestone: ---

Created attachment 963
  --> https://bugs.openldap.org/attachment.cgi?id=963&action=edit
openldap config + data for showing the dynlist usecase
Evaluation of member of dynamic groups by dynlist can be slow.
However, in some contexts, the evaluation is not necessary, especially when searching for objects that are not dynamic groups.
You can find attached a configuration and data file showing the use case:
- 10000 users
- 100 static groups
- 5000 dynamic groups, with a filter (&(uid=user*)(objectClass=person)), grabbing all users
Example of "normal" slow search ~ 115s:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(member=uid=user1,ou=people,dc=my-organization,dc=com)'
Example of abnormal slow search ~ 115s:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))'
Here, the filter about the objectClass could be evaluated first to avoid unnecessary search in dynamic groups.
Example of rapid search with DSA IT ~ 1ms:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))' -M
Ondřej Kuzník ondra@mistotebe.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
See Also |        |https://bugs.openldap.org/show_bug.cgi?id=10044
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed           |Added
----------------------------------------------------------------------------
Assignee         |bugs@openldap.org |ondra@mistotebe.net
Target Milestone |---               |2.6.5
Keywords         |needs_review      |
Howard Chu hyc@openldap.org changed:
What           |Removed     |Added
----------------------------------------------------------------------------
Ever confirmed |0           |1
Status         |UNCONFIRMED |IN_PROGRESS
--- Comment #1 from Howard Chu hyc@openldap.org ---
David, could you try https://git.openldap.org/openldap/openldap/-/merge_requests/617 and see how much perf difference it makes for you?
--- Comment #2 from David Coutadeur david.coutadeur@gmail.com ---
Ok, I'll give it a try
--- Comment #3 from David Coutadeur david.coutadeur@gmail.com ---
The given patch (https://git.openldap.org/openldap/openldap/-/merge_requests/617.patch) seems to fix the issue!
On a new machine, with a fresh-compiled standard OpenLDAP 2.5.14: ~99s
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))'
slapd[151155]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000049 etime=99.383118 nentries=1 text=
On the same machine, with a fresh-compiled OpenLDAP 2.5.14 + 617.patch: ~2.6ms
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))'
slapd[220887]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000053 etime=0.002617 nentries=1 text=
Thanks for the quick fix, Ondrej and Howard! Could you consider applying this patch also on the OpenLDAP 2.5 branch?
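
To find searches like the 99-second one across a whole slapd log rather than one run, the sketch below pairs each SEARCH RESULT line with its SRCH line and reports operations whose etime exceeds a threshold. It is an added example, not part of the original comment or of OpenLDAP's code; the two SEARCH RESULT lines are the ones quoted above, while the SRCH lines, the function name and the 1-second default threshold are assumptions made for illustration.

```python
import re

# Sample log: the two SEARCH RESULT lines are quoted from the comment above;
# the SRCH lines are constructed for this example to match the ldapsearch call.
FILTER = ('(&(objectClass=groupOfNames)'
          '(member=uid=user1,ou=people,dc=my-organization,dc=com))')
SAMPLE_LOG = f'''\
slapd[151155]: conn=1000 op=1 SRCH base="ou=groups,dc=my-organization,dc=com" scope=2 deref=0 filter="{FILTER}"
slapd[151155]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000049 etime=99.383118 nentries=1 text=
slapd[220887]: conn=1000 op=1 SRCH base="ou=groups,dc=my-organization,dc=com" scope=2 deref=0 filter="{FILTER}"
slapd[220887]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000053 etime=0.002617 nentries=1 text=
'''

PREFIX = re.compile(r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
SRCH = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=\d+ deref=\d+ filter="(?P<filter>.*)"$')
RESULT = re.compile(r'SEARCH RESULT tag=101 err=(?P<err>\d+) .*?etime=(?P<etime>[\d.]+) nentries=(?P<n>\d+)')


def slow_searches(log_text, threshold_s=1.0):
    """Return searches whose etime exceeds threshold_s, slowest first."""
    pending = {}   # (pid, conn, op) -> (base, filter) from the SRCH line
    slow = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        key = (m['pid'], m['conn'], m['op'])
        rest = m['rest']
        if (s := SRCH.match(rest)):
            pending[key] = (s['base'], s['filter'])
        elif (r := RESULT.match(rest)):
            # A result with no SRCH line seen (log rotated) is still reported.
            base, flt = pending.pop(key, (None, None))
            etime = float(r['etime'])
            if etime > threshold_s:
                slow.append({'pid': int(key[0]), 'conn': int(key[1]),
                             'op': int(key[2]), 'etime': etime,
                             'nentries': int(r['n']), 'base': base, 'filter': flt})
    return sorted(slow, key=lambda e: e['etime'], reverse=True)


if __name__ == '__main__':
    for entry in slow_searches(SAMPLE_LOG):
        print(f"{entry['etime']:.3f}s pid={entry['pid']} conn={entry['conn']} "
              f"op={entry['op']} filter={entry['filter']}")
```

Keying on the slapd pid as well as conn and op keeps the two runs apart, since both use conn=1000 op=1.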
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed |Added
----------------------------------------------------------------------------
Target Milestone |2.6.5   |2.5.15
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed     |Added
----------------------------------------------------------------------------
Resolution |---         |FIXED
Status     |IN_PROGRESS |RESOLVED

--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
head:
• 992815ce by Ondřej Kuzník at 2023-05-05T16:55:01+00:00 ITS#10041 Restrict group searching
RE26:
• 132d9b5c by Ondřej Kuzník at 2023-05-15T17:54:09+00:00 ITS#10041 Restrict group searching
RE25:
• c5b09983 by Ondřej Kuzník at 2023-05-15T17:57:46+00:00 ITS#10041 Restrict group searching
Quanah Gibson-Mount quanah@openldap.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |VERIFIED